Unofficial news and tips about Google

February 2, 2012

Android Market's Malware Scanner

Google doesn't like to manually review user-generated content. It's not efficient and algorithms can do a better job. Imagine how many people would need to be hired to watch all the videos submitted to YouTube (60 hours of videos uploaded every minute).

In some ways, uploading an application to the Android Market is just like uploading a video to YouTube. Sure, you need to pay a fee, but you don't have to wait until a Google employee checks the application. Unfortunately, this also means that the application can include malware, deceive users, crash or spam your contacts. Google usually reviewed the app only after enough users reported that the app is malicious.

Now there's a new service called Bouncer "which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process. The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here's how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior".

That seems like a great idea: Google actually tests the apps without having to wait until other users install them and notice there's something wrong. The bad news is that this service was tested last year and was used to find potentially-malicious apps. Despite that, the apps infected by DroidDream were found by a security vendor and not by Google.

"The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise," says Google. Another explanation could be that Google's service is not good enough.

Google also says that Android "makes malware less potent" because it uses sandboxing, it displays the list of permissions and Android Market can remotely remove malware. I don't think that most of the users read the list of permissions. They simply ignore them, click "OK" and install the application. Maybe it would be a better idea to require users to explicitly enable sensitive permissions when they're using the apps.

While security vendors try to scare Android users and push their products, Google should focus on removing spam and malware from the Android Market and make it a safer place. Improving Android's security model and finding ways to install security updates faster are also important.